[BreachExchange] Maze Ransomware Victim Sues Anonymous Attackers
Destry Winant
destry at riskbasedsecurity.com
Tue Jan 7 10:18:28 EST 2020
https://www.databreachtoday.com/maze-ransomware-victim-sues-anonymous-attackers-a-13574
A Georgia manufacturer that was hit by the Maze ransomware gang is
fighting back by suing its attackers even though their true identity
remains unknown.
See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful
What You Wish For.
On Tuesday, Southwire, a cable and wire manufacturer based in
Carrollton, Georgia, filed a civil lawsuit against its "John Doe" Maze
gang attacker or attackers in Georgia federal court.
At the same time, the company obtained a court injunction in Ireland
to force offline a website - being hosted by an Irish service provider
- that was being used by the Maze gang to try to name and shame
victims and also dump data the gang stole from victims before leaving
their systems crypto-locked.
Southwire Company v. John Doe (partially redacted)
News of the U.S. lawsuit was first reported by Bleeping Computer. News
of Southwire's successful attempt to obtain an injunction in Irish
court was first reported by TheJournal.ie.
Southwire, which has $6 billion in annual revenue and more than 8,000
employees worldwide, was hit by Maze ransomware on Dec. 9, disrupting
its business. At the time, Bleeping Computer reported that the Maze
gang had demanded 850 bitcoins in ransom ransomware, then worth $6.1
million (see: Georgia Wire Manufacturer Struck by Ransomware).
The company has refused to pay the ransom and instead responded by
filing a lawsuit against its blackmailers.
Southwire seeks "compensatory damages and injunctive relief" via its
lawsuit, which alleges that the Maze gang violated the U.S. Computer
Fraud and Abuse Act by accessing its systems and disrupting them and
dumping stolen data online.
"Plaintiff has already been irreparably harmed by defendant's illegal
misappropriation and public dissemination of Southwire's data," the
lawsuit states. "Additionally, news of the incident and the
defendant's exploits has been spread to various media outlets by the
defendant in an effort to harm Southwire's reputation and alarm its
customers, vendors, and employees."
But the use of "John Doe" in the lawsuit reflects Southwire not
knowing the true name of the defendant or defendants.
Blackmail Attempt
After hitting Southwire, the Maze gang threatened to dump stolen data
unless the organization paid the $6.1 million ransom in bitcoins (see:
Maze Ransomware Gang Names More Alleged Victims).
"We have also downloaded a lot of data from your network, so in case
of not paying this data will be released," the gang warned in its
ransom note, a copy of which is labeled "exhibit A" and included with
Southwire's U.S. lawsuit. "If you don't believe we have any data, you
can contact us and ask a proof. Also you can Google 'Allied Universal
Maze Ransomware.'"
The gang's threat referred to its having leaked 700 MB of data it
stole from Allied Universal, a California-based security services
firm, in November. The gang told Bleeping Computer at that time that
it had stolen 5 GB and planned to send the rest to WikiLeaks if the
company didn't pay 300 bitcoins (see: Ransomware Attackers Leak Stolen
Data).
The Maze ransomware gang has also taken credit for infecting the city
of Pensacola, Florida, among many other victims. After Pensacola
officials refused to pay a ransom, the gang leaked 2 GB of what it
claimed was 33.2 GB of data it had stolen from the city.
FBI: Maze 'Flash' Alert
Last week, the FBI issued a "flash" alert to private U.S. firms,
warning about the continuing threat posed by ransomware, reported
CyberScoop, which obtained a copy of the alert.
"From its initial observation, Maze used multiple methods for
intrusion, including the creation of malicious look-a-like
cryptocurrency sites and malspam campaigns impersonating government
agencies and well-known security vendors," the advisory states. "In a
late November 2019 attack, Maze actors threatened to publicly release
confidential and sensitive files from a U.S.-based victim in an effort
to ensure ransom payment."
While the bureau doesn't name the victim, the details match what
happened to Allied Universal.
Maze Gang Leaks Southwire Data
The Southwire lawsuit notes: "After plaintiff did not pay the ransom
demanded by defendant, a portion of plaintiff's stolen confidential
and sensitive information was publicly posted to [redacted] ...
Defendant has threatened to expose further confidential and sensitive
information to the public if the ransom payment is not made in the
coming days."
The cat-and-mouse game has continued to escalate, with the
manufacturer suing its attackers.
"This is a bold but risky move by Southwire," Emsisoft threat analyst
Brett Callow tells Bleeping Computer. "It could push the Maze Group
into releasing all of the company's data, while the website takedown
could result in a game of whack-a-mole in which the data is published
in other, possibly more visible, locations."
Victim Obtains Injunction in Ireland
On Thursday, Southwire obtained an injunction in Irish court forcing
offline a domain being used by the Maze gang. The domain name was
first registered on Dec. 9 with Namecheap, a domain name registrar
based in Los Angeles, and was being hosted on a dedicated server
leased from a Cork, Ireland-based firm called World Hosting Farm
Limited, according to public WHOIS data.
Information Security Media Group has chosen to not publicize the
attackers' domain name because it might aid their blackmail efforts.
Southwire wrote to WHFL, requesting that they cease and desist hosting
a website that contained confidential, stolen information and victim
lists, but received no response, the company's defense counsel told a
court in Ireland on Thursday, TheJournal.ie reported.
As a result, the company sought a court injunction against the owner
and director of WHFL, which is listed in Irish corporation records as
Artur Grabowski of St. Budzynskiego, in Stupsk, Poland; the company's
secretary, listed as a Dublin-based firm called Admiral Tax Limited;
and Janusz Dybko, who is listed as being the contact person for the
Maze address, TheJournal.ie reported.
Counsel told the court that WHFL is listed as having been dissolved,
TheJournal.ie reported.
There is no indication that any of those individuals or corporate
entities have anything to do with the Maze gang, aside from leasing
hosting space that the Maze gang used to try and name and shame
victims.
Maze Site Offline
As of Friday, the Maze gang's domain name no longer resolved to a
working IP address.
Banner atop the Maze gang's site that listed purported victims that
refused to meet its ransom demands, and which also published some
information that had been stolen from victims. As of Jan. 2, the site
was offline, thanks to a court injunction in Ireland.
ISMG has not received a response to a request for comment from
Southwire's counsel, Jonathan S. Klein of New York-based law firm
Mayer Brown LLP, on whether Southwire had attempted to work through
U.S. law enforcement agency - such as the FBI - to work with their
Irish counterparts and get the site taken down.
One likely possibility is that law enforcement agencies have been
monitoring the website for clues to the Maze gang's identity. If gang
members forgot to mask their IP address using a VPN or proxy server,
for example, it could help investigators ascertain attackers' true
identity (see: Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy
Bear').
More information about the BreachExchange
mailing list